With the government’s scramble In order to lock down the population after the COVID-19 pandemic was announced in March last year, some countries are already planning to reopen. By June, Jamaica became one of the first countries to open its borders.
Tourism accounts for about one-fifth of Jamaica’s economy. In 2019 alone, 4 million tourists visited Jamaica, bringing thousands of jobs to 3 million residents. But as COVID-19 extends into the summer, Jamaica’s economy is in free fall, and tourism is the only way out-even if it means sacrificing public health.
The Jamaican government has signed a contract with the Kingston-based technology company Amber Group to establish a border entry system so that residents and travelers can return to the island. The system is called JamCOVID and was launched as an app and website to allow visitors to be screened before they arrive. In order to cross the border, passengers must upload negative COVID-1
Dushyant Savadia, CEO of Amber Group, boasted that his company developed JamCOVID in “three days” and effectively donated the system to the Jamaican government. The Jamaican government paid Amber Group for additional features and self-reliance. Definition item. The deployment seemed successful, and Amber Group was subsequently awarded a contract to extend its border entry system to at least four other Caribbean islands.
But TechCrunch revealed last month that JamCOVID had exposed immigration documents, passport numbers and COVID-19 laboratory test results among nearly five million travelers (including many Americans) who visited the island in the past year. Amber Group has set the access rights to the JamCOVID cloud server to public, allowing anyone to access its data from its web browser.
Regardless of whether the data breach was caused by human error or negligence, it was an embarrassing mistake for a technology company (and expansion to the Jamaican government).
That may be over. Instead, the government’s reaction turned into a story.
A trio of security breaches
By the end of the first wave of coronavirus, contact tracing applications were still in their infancy, and few governments planned to screen travelers during entry and exit. The government fights for the establishment or acquisition of technology to understand the spread of the virus.
Jamaica is one of the few countries that uses location data to monitor travelers, which has prompted human rights groups to raise concerns about privacy and data protection.
As part of an extensive investigation of these COVID-19 apps and services, TechCrunch discovered that JamCOVID is storing data on exposed passwordless servers.
This is not the first time TechCrunch has found a security breach or exposed data through our report. This is not the first security panic related to the pandemic. Israeli spyware maker NSO Group keeps real location data on an unprotected server, which is used to demonstrate its new contact tracking system. Norway was one of the first countries to use a contact tracking application, but after the country’s privacy authority discovered that there was a privacy risk in continuously tracking the location of citizens, Norway withdrew the application.
Just like other stories, we contacted people we think are the owners of the server. We notified the Jamaican Ministry of Health of the data leak on the weekend of February 13, but after providing the Ministry of Health spokesperson Stephen Davidson with specific details of the exposure, we did not reply. Two days later, the data is still exposed.
After talking to two travelers whose US data leaked from the server, we narrowed the owner of the server to Amber Group. We contacted its CEO Savadia on February 16, who confirmed the email but did not comment, and the server was secured after about an hour.
We told our story that afternoon. After our announcement, the Jamaican government issued a statement claiming that the mistake was “discovered on February 16” and that it had been “immediately corrected”, but it was not true.
Is there a tip? Use SecureDrop to contact us securely.understand more Here.
Instead, the government conducted a criminal investigation to investigate whether there was an “unauthorized” access that led to unauthorized data, which led to our first story, which we believe is a frivolity against this publication Threat. The government stated that it has contacted overseas law enforcement partners.
Upon arrival, an FBI spokesperson declined to say whether the Jamaican government had contacted the agency.
For JamCOVID, the situation is not much better. In the days following the first story, the government hired a cloud consultant Escala 24×7 to evaluate the safety of JamCOVID. The findings of the investigation have not yet been announced, but the company expressed confidence that there are no “current loopholes” in JamCOVID. The Amber Group also stated that the mistake was a “completely isolated incident.”
A week later, TechCrunch alerted Amber Group about two other security vulnerabilities. After the first report attracted attention, a security researcher saw the news of the first theft and discovered that the JamCOVID server and database were hidden on its website and exposed the private key and password, while the third theft revealed it. Quarantine orders for more than 5 million passengers.
The Amber Group and the government said it faces “cyber attacks, hacking attacks and prank players.” In fact, the application is not that safe.
For the Jamaican government, the security lapse was a politically inconvenient period because it tried to activate the National ID System or NIDS for the second time. NIDS will store biographical data about Jamaican nationals, including their biological characteristics (such as fingerprints).
The Jamaican High Court overturned the government’s first law for violation of the Constitution, which is another repeated effort two years later.
Critics believe that the JamCOVID security breach was the reason for the deletion of the proposed national database. The coalition of privacy organizations cited the latest issue of JamCOVID because the national database “may be potentially dangerous to the privacy and security of Jamaicans.” A spokesperson for the Jamaican opposition party told the local media that “there is insufficient confidence in NIDS first.
More than a month has passed since we released the first story, and there are still many unresolved issues, including how Amber Group obtained the contract to build and run JamCOVID, how to expose the cloud server, and whether security tests were conducted before the release.
TechCrunch emailed the Prime Minister’s Office of Jamaica and the Minister of National Security of Jamaica, Matthew Samuda, asking how much the government had donated or paid to Amber Group to operate JamCOVID, and agreed on what security requirements (if any) regarding JamCOVID. We did not get a response.
Amber Group also did not disclose how much money it made from government contracts. Savadia of Amber Group refused to disclose the value of the contract to a local newspaper. Savadia did not respond to our emails about their contract issues.
After the second security blunder, Jamaica’s opposition party asked the Prime Minister to abandon the contract to manage the agreement between the government and the Amber Group. Prime Minister Andrew Holness said at a press conference that the public “should be aware” of government contracts, but warned that “legal barriers” may prevent disclosure, such as for national security reasons or the possibility of disclosing “sensitive Trade and business information”.
Just a few days later, the local newspaper Jamaica Gleaner asked for a contract to disclose the salaries of officials rejected by the government under a law that prevents the disclosure of private affairs. Critics argue that taxpayers have the right to know how many government officials they receive from public funds.
Jamaica’s opposition party also asked what it had done to notify the victims.
Government Minister Samuda initially downplayed the security breach, claiming that only 700 people were affected. We searched for evidence on social media, but found nothing. To date, we have not found any evidence that the Jamaican government has notified travelers about security incidents-either hundreds of thousands of affected travelers’ information was leaked, or the government claimed to have notified but not yet publicly released 700 people.
TechCrunch sent an email to the minister via email requesting a copy of the notice that the government allegedly sent to the victim, but we did not receive any response. We also invite comments from the Amber Group and the Prime Minister’s Office of Jamaica. We did not hear an echo.
Many victims of the security breach are from the United States. None of the people we talked to with the two Americans in the first report received notice of breach of contract.
Spokespersons for the attorneys general of New York and Florida, whose residents’ information has been exposed, told TechCrunch that although state laws require disclosure of data breaches, they have not received any information from the Jamaican government or contractors.
The reopening of Jamaica’s border comes at a price. In the following month, more than one hundred new COVID-19 cases appeared on the island, most of which came from the United States. From June to August, the number of new coronavirus infections per day ranged from tens to tens to hundreds.
To date, Jamaica has reported 39,500 cases and 600 deaths from the pandemic.
Prime Minister Hornes reflected on the decision to reopen the border in Parliament last month to announce the country’s annual budget. He said that the country’s last economic downturn was “caused by a 70% shrinkage of our tourism industry”. Hornes said that 525,000 travelers (including residents and tourists) have arrived in Jamaica since the border was opened, which is slightly higher than the number of travelers recorded on the exposed JamCOVID server in February.
Holness defended the reopening of the country’s borders.
“If we don’t do this, the decline in tourism income will be 100% instead of 75%, employment will not be restored, our balance of payments deficit will worsen, the government’s overall revenue will be threatened, and there will be no return. There is no doubt that more money will be spent,” he said.
Both the Jamaican government and the Amber Group have benefited from opening up the country’s borders. The government hopes to restore the economic downturn, and Amber Group enriches its business by signing new government contracts. However, no one pays enough attention to network security, and the victims of its negligence should also know why.
Send the reminder securely via Signal and WhatsApp to +1 646-755-8849. You can also use our SecureDrop to send files or documents. Learn more.